Researchers have tracked Magecart-like infections on more than 40,000 domains since 2015. The researcher says that during August, September, and October, his scanner detected Magecart-like card skimming malware on over 5,400 domains. 21.3 percent of the cleaned shops got reinfected. A large number of reinfections occurred within the first day, or after a week, but on average, the reinfection time was 10.5 days.
"This shows that countermeasures taken by merchants and their contracted security firms often fail. There are multiple reasons for this," the researcher said. The expert listed:

1/ Magecart operatives often litter a hacked store with backdoors and rogue admin accounts.
2/ Magecart operatives use reinfection mechanisms such as database triggers and hidden periodic tasks to reinstate their payload.
3/ Magecart operatives use obfuscation techniques to make their presence indistinguishable from legitimate code.
4/ Magecart operatives utilize unpublished security exploits (aka 0days) to hack sites, exploits for which there are no patches.

"All in all, it takes some very keen eyes and a lot of effort to clean all traces of a breach," he said.